Scottc98
Advisor

External IOC - Log questions

Hello,

I've been testing out some external IOCs for a production rollout and was hoping to get some understanding of some of the log messages. I have 3 feeds running for testing: one IP host list, one URL list and one domain list.

When looking at "blade:Anti-Virus AND type:Control" in SmartConsole, I get these logs under "Forensics Details => Description", and here is my understanding of them:

  • External IOC - Fetch succeeded
    • I know that the configs are set up to fetch the feed every 5 min, but the log seems to show up only when there was an actual update to the feed txt/csv file on the remote server.
      • So... my understanding is that when I see this message it means at least 1 of the 3 feeds had an update and the fetch was good.
  • External IOC - Partial success, IP_TEST: Success, URL_TEST: Success, DOMAIN_TEST: Feed format problem. Empty feed
    • I read this the same as the above message, except that one of the feeds had a problem due to the feed having no domains listed (which was the test case). The other two feeds 'fetched'.
  • External IOC - External Indicators processing failed
    • This one seems straightforward to me as it detailed out that the processing failed and the reason.
      • Our reason was "Couldn't connect to server", which is accurate: during our testing the remote server was down.
      • I also noticed that I got this message every 5 min, which confirms that the GW was attempting updates within the defined interval.

So... now my questions 🙂

  1. Is my understanding about these 3 log messages correct?
  2. If so, is there any way to get an "External IOC - Fetch succeeded" type message that includes the actual feed that was updated, versus the general one I got here?
    1. When I look at the partial success one, I can see the details of all 3 feeds: the 2 that updated and the other one with the error.
    2. For our testing, I would like to get a clearer log of the success of the single feed we updated, which our SIEM can filter on as a means to know our updates were processed.
      1. I noticed that "External IOC - Fetch succeeded" messages can get noisy depending on the # of feeds you use; especially on a 3rd party one that might update a lot.
      2. Therefore, our key is to have our feed file update => allow our GWs to fetch every 5min => log back when the update was successfully updated for the given feed => avoid the manual labor of logging into various GWs to validate the feed in question updated 😉

Thanks in advance 🙂

**note**

GW & MGMT running R81.10 Take 95
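The SIEM filtering the question asks about can be approximated today by parsing the three description strings quoted above into per-feed status. The following Python is an added example, not Check Point code and not from the post: it assumes the per-feed list in the partial-success message is always "NAME: status" pairs separated by commas (inferred from the one sample quoted), uses the post's hypothetical feed names IP_TEST, URL_TEST and DOMAIN_TEST, and treats the failure reason as a separate field, since the post reports it separately. It also shows why the plain "Fetch succeeded" form cannot answer "did feed X update?": it carries no per-feed detail.

```python
import re
from typing import List, Optional

# All three descriptions quoted in the post share this prefix.
PREFIX = "External IOC - "

# Constructed sample descriptions, modelled on the three forms quoted in the
# post (feed names IP_TEST / URL_TEST / DOMAIN_TEST are the poster's test names).
SAMPLE_DESCRIPTIONS = [
    "External IOC - Fetch succeeded",
    "External IOC - Partial success, IP_TEST: Success, URL_TEST: Success, "
    "DOMAIN_TEST: Feed format problem. Empty feed",
    "External IOC - External Indicators processing failed",
]

# Splits "NAME: status, NAME: status, ..." only at commas that precede a feed
# name token, so a status text that itself contains a comma is not cut in half.
_FEED_SPLIT = re.compile(r",\s*(?=[A-Za-z0-9_.-]+:\s)")


def parse_ioc_description(desc: str, reason: Optional[str] = None) -> dict:
    """Classify one External IOC description into a structured record.

    Returns {"status": ..., "feeds": {name: status_text}, "reason": ...}.
    Assumption: the per-feed list is "NAME: status" pairs separated by ", ",
    as in the partial-success message quoted in the post.
    """
    record: dict = {"status": "unknown", "feeds": {}, "reason": reason}
    if not desc.startswith(PREFIX):
        return record
    body = desc[len(PREFIX):]

    if body == "Fetch succeeded":
        # No per-feed detail in this form: we only learn that the cycle worked.
        record["status"] = "success"
    elif body.startswith("Partial success, "):
        record["status"] = "partial"
        feed_part = body[len("Partial success, "):]
        for item in _FEED_SPLIT.split(feed_part):
            name, _, status = item.partition(": ")
            if name and status:
                record["feeds"][name.strip()] = status.strip()
    elif body == "External Indicators processing failed":
        # Whole cycle failed (e.g. the "Couldn't connect to server" case).
        record["status"] = "failed"
    return record


def feed_succeeded(record: dict, feed_name: str) -> Optional[bool]:
    """Answer "did this feed update?" from one parsed record.

    True/False when the record carries per-feed detail; None when it does not
    (the plain "Fetch succeeded" form, or a feed that is not listed).
    """
    if record["status"] == "failed":
        return False
    status = record["feeds"].get(feed_name)
    if status is None:
        return None
    return status == "Success"


def feeds_needing_attention(records: List[dict]) -> List[tuple]:
    """Collect (feed, status_text) pairs a SIEM rule should alert on."""
    out = []
    for rec in records:
        for name, status in rec["feeds"].items():
            if status != "Success":
                out.append((name, status))
    return sorted(out)


if __name__ == "__main__":
    parsed = [parse_ioc_description(d) for d in SAMPLE_DESCRIPTIONS]
    for rec in parsed:
        print(rec["status"], rec["feeds"])
    print("attention:", feeds_needing_attention(parsed))
```

Run against the three constructed descriptions, only the partial-success record yields a per-feed answer; the "Fetch succeeded" record returns None for every feed, which is the gap the question is about.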
PhoneBoy
Admin

As far as I know, you have a clear understanding of this.
Unfortunately, I don't believe you can change the detail of the logging about what feeds were updated.
It's possible this is improved in R81.20 where we can support a larger number of indicators and Network Feeds are an option.
